Headline
CVE-2023-43344: GitHub - sromanhu/CVE-2023-43344-Quick-CMS-Stored-XSS---SEO-Meta-description: Quick CMS 6.7 is affected by a Cross-Site Scripting (XSS) vulnerability that allows attackers to execute arbitrary code vi
Cross-site scripting (XSS) vulnerability in opensolution Quick CMS v.6.7 allows a local attacker to execute arbitrary code via a crafted script to the SEO - Meta description parameter in the Pages Menu component.
Quick CMS Stored XSS v6.7****Author: (Sergio)
Description: A Cross-Site Scripting (XSS) vulnerabiliti in Quick CMS v6.7 allows a local attacker to execute arbitrary code via a crafted script to the to the SEO - Meta description in the Pages Menu.
Attack Vectors: Scripting A vulnerability in the sanitization of the entry in the Meta description of “Pages- SEO” allows injecting JavaScript code that will be executed when the user accesses the web page.
POC:
When logging into the panel, we will go to the “Pages - SEO .” section off General Menu.
We edit that SEO Settings and see that we can inject arbitrary Javascript code in the Meta Description field.
XSS Payload:
'"><svg/onload=alert(‘XSS’)>
In the following image you can see the embedded code that executes the payload in the main web.
Additional Information:
https://opensolution.org/cms-system-quick-cms.html
https://owasp.org/Top10/es/A03_2021-Injection/